Re: Monitoring roles patch
From | Dave Page |
---|---|
Subject | Re: Monitoring roles patch |
Date | |
Msg-id | CA+OCxow3WHcG6e_+g5vZ3E=O-+BUS_X=Zw4YORMMp7dez0R=1w@mail.gmail.com |
In reply to | Re: Monitoring roles patch (Mark Dilger <hornschnorter@gmail.com>) |
List | pgsql-hackers |

On Tue, Mar 28, 2017 at 1:52 PM, Mark Dilger <hornschnorter@gmail.com> wrote:
>
>> On Mar 28, 2017, at 9:55 AM, Robert Haas <robertmhaas@gmail.com> wrote:
>>
>> On Tue, Mar 28, 2017 at 12:47 PM, Dave Page <dpage@pgadmin.org> wrote:
>>>> I don't see any precedent in the code for having a hardcoded role, other than
>>>> superuser, and allowing privileges based on a hardcoded test for membership
>>>> in that role. I'm struggling to think of all the security implications of that.
>>>
>>> This would be the first.
>>
>> Isn't pg_signal_backend an existing precedent?
>
> Sorry, I meant to say that there is no precedent for allowing access to data based
> on a hardcoded test for membership in a role other than superuser.

This doesn't allow access to data, except through monitoring of queries that are executed (e.g. full access to pg_stat_activity) - which you can avoid by not using the role if that's your choice.

--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company